Reproduce and fix an OpenID authorization vulnerability
Friends have an old project consisting 100% of bad code, crutches and incomprehensible matter.
A whitehat report has arrived: they can log in as any user.
The project uses only OpenID for authorization, most likely via an ancient library. Web framework: Yii, first version.
Expect an all-hands emergency mode of work, because the hot fix needs to be rolled out urgently; this is production.
Details in private messages.
18.12.2020 13:49